
Dependency-Graph in Dependency-Track not working after MERGE - Docker image - Kali Linux

Open almitte opened this issue 2 years ago • 5 comments

Hello,

After merging SBoMs with the CLI, the Dependency-Graph in Dtrack for that SBoM only shows the first hierarchy level (the primary components of the merged SBoMs), but none of the components that make up these components. The Dependency-Graphs work just fine for each individual SBoM. The "component" metadata is set in each individual SBoM, and the bom-refs of these first-hierarchy-level components also show up in "Dependencies" in the final SBoM.

Here is the code I have used:

```
docker run -v /home/kalimitteuser/Downloads:/work cyclonedx/cyclonedx-cli merge \
  --input-files /work/2.json /work/1.json /work/3.json --version 1.139.16 \
  --name application --hierarchical --output-file /work/sbom_all.json
```

It results in this output:

```
Processing input file /work/2.json
Contains 168 components
Processing input file /work/1.json
Contains 292 components
Processing input file /work/3.json
Contains 156 components
Writing output file...
Total 3 components
```

I think the problem is with the last line, "Total 3 components". Can I insert an option like "--hierarchical all" or something like that? Maybe this is even a Dtrack problem, as there are somewhere around 350 components inside that SBoM?

Thanks in advance.

almitte avatar Apr 01 '22 07:04 almitte

@almitte It is a DependencyTrack issue, see: https://github.com/DependencyTrack/dependency-track/issues/2411 DependencyTrack does not recursively handle components in components. A fix was merged, and DependencyTrack version 4.8 (once it is released) should handle it correctly.

andreas-hilti avatar Apr 16 '23 09:04 andreas-hilti

@almitte: did you get a chance to test version 4.8 of DT to check if it fixes your issue?

sebastienDelcoigne avatar Apr 25 '23 15:04 sebastienDelcoigne

I am still seeing the described behavior in 4.8.2

john-funk avatar Sep 06 '23 14:09 john-funk

I tested DT 4.8.0 using the foobar BOM included in issue 2411 and they worked as expected. I then upgraded to 4.8.2 API/4.8.1 UI and checked on the project, things still looked OK. I deleted the project, created a new one and re-uploaded the BOM again, it still worked.

@Jay-Funk, I suggest attaching your sample BOM, as there is a small chance the merge went wrong somehow. Without being able to inspect the BOM, no one can say for sure. People may also need the command(s) you ran to perform the merge. If you are absolutely certain the BOM is fine (or it is determined here that it is), and the foobar BOM included in 2411 works for you, please open a Dependency-Track issue providing your failing BOMs and referencing 2411. Maybe there is an edge case my patch doesn't cover, or there has been a regression I am simply not seeing.

Edit: This comment in DT issue 1385 shows how to validate the BOM with CycloneDx. The foobar BOM validates correctly.

roadSurfer avatar Sep 07 '23 09:09 roadSurfer
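To inspect a merged BOM the way the comment above suggests, before blaming the Dependency-Track graph, the added Python example below (not part of this thread or the cyclonedx-cli project) flattens the nested `components` a `--hierarchical` merge produces and walks the `dependencies` edges from the root `metadata.component`, reporting which components are never reached. The sample BOM, its component names and bom-refs are constructed for illustration and resemble the shape of a hierarchical merge output.

```python
"""Check a CycloneDX JSON BOM: are all nested components reachable via dependencies?"""
import json
from collections import deque

# Constructed sample in the shape `cyclonedx-cli merge --hierarchical` produces:
# each input BOM's root becomes a component holding its own nested components.
# All names, versions and bom-refs here are made up for this example.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": {"type": "application", "name": "application",
                               "version": "1.139.16", "bom-ref": "application@1.139.16"}},
    "components": [
        {"type": "application", "name": "svc-a", "bom-ref": "svc-a",
         "components": [
             {"type": "library", "name": "lib-x", "bom-ref": "lib-x"},
             {"type": "library", "name": "lib-y", "bom-ref": "lib-y"}]},
        {"type": "application", "name": "svc-b", "bom-ref": "svc-b",
         "components": [{"type": "library", "name": "lib-z", "bom-ref": "lib-z"}]},
    ],
    "dependencies": [
        {"ref": "application@1.139.16", "dependsOn": ["svc-a", "svc-b"]},
        {"ref": "svc-a", "dependsOn": ["lib-x"]},   # lib-y has no edge: never reached
        {"ref": "svc-b", "dependsOn": ["lib-z"]},
        {"ref": "lib-x", "dependsOn": []},
        {"ref": "lib-z", "dependsOn": []},
    ],
})


def flatten_components(components):
    """Yield every component, descending into nested `components` lists."""
    for comp in components:
        yield comp
        yield from flatten_components(comp.get("components", []))


def graph_report(bom_json):
    """Return (total components, components reachable from root, unreachable bom-refs)."""
    bom = json.loads(bom_json)
    refs = {c["bom-ref"] for c in flatten_components(bom.get("components", []))}
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    seen, queue = set(), deque([root])
    while queue:  # breadth-first walk over dependsOn edges starting at the root
        node = queue.popleft()
        for child in edges.get(node, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return len(refs), len(seen & refs), sorted(refs - seen)
```

Components listed in the unreachable set exist in the BOM but have no path from the root in `dependencies`, which is what a graph viewer has to draw from; a non-empty set points at the merge output rather than at the viewer.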

@almitte - if this is still failing for you, then please consider opening a Dependency-Track issue (or adding your BOM to Jay's).

roadSurfer avatar Sep 07 '23 09:09 roadSurfer